Paradigm Shift in the Security Threat Landscape

With the evolution of Internet of Things (IoT) the security challenges for industrial security are increasing exponentially. The 25 billion globally connected devices in 2015 are expected to double by 2020. On an average, each individual is expected to be connected to six things online in terms of sensors, smart objects and device clustered systems. Under this scenario, and given the fact that the weakest link will continue to define the robustness of any organizations security architecture, security vulnerabilities are poised to increase manifold, in terms of the scale, intensity and complexity of the attacks.

The effects of these attacks, however, will not be restricted to the cyber domain alone. They will also impact the physical security of the people and infrastructure, in spite of having the best ‘physical security’ controls in terms of people, processes and technology to mitigate these threats.

The convergence between logical and traditional physical security will entail a cascading effect on these seemingly different dimensions, with the impact multiplying at every stage. For instance a cyber-breach can impact safety, which in turn would impact compliance, as also may cause physical damage by aggregating the compound effect impacting business continuity, thereby directly impinging on the bottom-line.

A combination attack using multiple threat vectors can adversely impact the market sentiments in no time. This will lead to long term brand erosion, as well as economic loss to the business, which in turn will have an adverse impact on the industry and the nation at large, especially if critical infrastructure is targeted.

This has necessitated that we create synergy across the threat landscape to deal with a combination of physical and cyber-based threat vectors. In order to achieve this objective it is important to act in a concerted manner.

As a result, chief security officers need to take care of the physical as well as the digital aspects of security and simultaneously address the increasingly complex area of compliance.

Convergence not only helps in providing enhanced level of security but also results in cost saving by integrating disparate systems and optimizing resources; both in terms of personnel, processes and technology platforms.

Case studies

Hackers targeted Sony Pictures and wiped out half of their global network. They erased everything stored on 3,262 of the company’s 6,797 personal computers and 837 of its 1,555 servers. At the same time, they ensured that nothing could be recovered by using a special deleting algorithm that overwrote the data seven different ways. Subsequently the code targeted each computer’s start up software and rendered the machines brain-dead.

A group of cybercriminals successfully targeted 100 banks in 30 countries globally including US, Russia, Ukraine and China after phishing its targets with infected email attachments. The criminals used their computer exploits to dispense cash from ATMs or transfer cash digitally to accounts they controlled. The USD 1 billion haul was unprecedented in its scope, which Kaspersky reported as under investigation.

LinkedIn confirmed in 2016 that the impact of a 2012 breach in which 6.5 million users’ passwords were compromised, is now likely to be closer to 167 million users, 117 million of whom had both their e-mails and passwords exposed.

The 1768 km long Azerbaijan – Georgia – Turkey (Baku-Tbilisi-Ceyhan) crude oil pipeline connecting the oilfields in the Caspian Sea to the Mediterranean Sea was blown up by hackers. They exploited the vulnerabilities of the IP cameras communication software, to gain entry and move deep into the internal network, to blow the pipeline by over pressurizing it. This resulted in a loss of USD 1 billion in export revenue for Azerbaijan and the pipeline was out of action for 20 days.

The stuxnet virus that was used for spinning several centrifuges out of control at an Iranian nuclear facility was believed to have been transmitted using a thumb drive that was physically inserted into a computer within the facility.

Critical infrastructure is the most vulnerable with high impact

Thus, in future, critical infrastructure in particular is likely to be targeted by both terrorists and state sponsored actors, as it provides an easy option to them. Future wars will be asymmetric in nature. Economically weaker nations will inflict heavy economic loss on their adversaries to include both life and property, by using meagre resources, as compared to achieving the same using conventional means at a huge monetary cost and loss of lives.

All it takes to target critical infrastructure is a bunch of highly trained cyber hackers who require hardware, software and a high-speed internet connection, and all of this cost not more than a few hundred thousand dollars, and will to execute. The best part is that it can be done sitting anywhere in the world and one need not be physically present at the target location. The victim organization/ country cannot be very sure of the identity of the perpetrator group/ individual/ country and retaliate immediately, thereby they can virtually go scot free in terms of facing any consequences, and enjoying virtual immunity against any adverse action due to lack of stringent laws dealing with sharing of data and lack of collaboration at the global level.

Need for public private partnership and restructuring of the traditional security organization

There is a need for public private partnership to effectively deal with such scenarios, wherein we pool in the resources of the government and the private sector to address these security challenges to our critical infrastructure and the industry at large. At the same time, there is a requirement to create a CXO level appointment within the organization who should be responsible for addressing the security challenges to include both physical security as well as cyber security. The CXO should also be integrated with the Government agencies both at the national and international level, for exchange of relevant information, to strengthen and safeguard the people, assets and the infrastructure of the corporate sector.